Skip to content
Snippets Groups Projects
Normal view Permalink
mediadrmserver.te 2.31 KiB
Newer Older
  • Learn to ignore specific revisions
    • Jeff Tinker's avatar
    Add mediadrm service
    Jeff Tinker committed
    1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 
    # mediadrmserver - mediadrm daemon
type mediadrmserver, domain;
type mediadrmserver_exec, exec_type, file_type;

typeattribute mediadrmserver mlstrustedsubject;

net_domain(mediadrmserver)
init_daemon_domain(mediadrmserver)

binder_use(mediadrmserver)
binder_call(mediadrmserver, binderservicedomain)
binder_call(mediadrmserver, appdomain)
binder_service(mediadrmserver)

# Required by Widevine DRM (b/22990512)
allow mediadrmserver self:process execmem;

# System file accesses.
allow mediadrmserver system_file:dir r_dir_perms;
allow mediadrmserver system_file:file r_file_perms;
allow mediadrmserver system_file:lnk_file r_file_perms;

# Read files already opened under /data.
allow mediadrmserver system_data_file:dir { search getattr };
allow mediadrmserver system_data_file:file { getattr read };
allow mediadrmserver system_data_file:lnk_file r_file_perms;

# Read access to pseudo filesystems.
r_dir_file(mediadrmserver, cgroup)
allow mediadrmserver cgroup:dir { search write };
allow mediadrmserver cgroup:file w_file_perms;

# Allow access to ion memory allocation device
allow mediadrmserver ion_device:chr_file rw_file_perms;

# Allow access to app_data and media_data_files
allow mediadrmserver media_data_file:dir create_dir_perms;
allow mediadrmserver media_data_file:file create_file_perms;
    Jeff Tinker's avatar
    Allow mediadrmserver to access media files  
    Jeff Tinker committed
    39 
    allow mediadrmserver media_data_file:file { getattr read };
    Jeff Tinker's avatar
    Add mediadrm service
    Jeff Tinker committed
    40 41 42 43 44 45 46 47 48 49 50 
    
allow mediadrmserver tee_device:chr_file rw_file_perms;

# XXX Label with a specific type?
allow mediadrmserver sysfs:file r_file_perms;

# Connect to tee service.
allow mediadrmserver tee:unix_stream_socket connectto;

allow mediadrmserver mediadrmserver_service:service_manager { add find };
allow mediadrmserver mediaserver_service:service_manager { add find };
    Jeff Tinker's avatar
    Allow mediadrmservice to access processinfo  
    Jeff Tinker committed
    51 
    allow mediadrmserver processinfo_service:service_manager find;
    Jeff Tinker's avatar
    Fix SELinux denials for protected content playback  
    Jeff Tinker committed
    52 
    allow mediadrmserver surfaceflinger_service:service_manager find;
    Jeff Tinker's avatar
    Add mediadrm service
    Jeff Tinker committed
    53 54 
    
# only allow unprivileged socket ioctl commands
    Jeff Vander Stoep's avatar
    ioctls: move commonly used tty ioctls to macro  
    Jeff Vander Stoep committed
    55 56 
    allowxperm mediadrmserver self:{ rawip_socket tcp_socket udp_socket }
  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
    Jeff Tinker's avatar
    Add mediadrm service
    Jeff Tinker committed
    57 58 59 60 61 62 63 64 65 66 67 
    
###
### neverallow rules
###

# mediadrmserver should never execute any executable without a
# domain transition
neverallow mediadrmserver { file_type fs_type }:file execute_no_trans;

# do not allow privileged socket ioctl commands
neverallowxperm mediadrmserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;